Executive Summary
Summary | |
---|---|
Title | Fraudulent Digital Certificates Could Allow Spoofing |
Information | |||
---|---|---|---|
Name | KB2524375 | First vendor Publication | 2011-03-23 |
Vendor | Microsoft | Last vendor Modification | 2011-07-06 |
Severity (Vendor) | N/A | Revision | 5.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : | |||
---|---|---|---|
Cvss Base Score | Not Defined | Attack Range | Not Defined |
Cvss Impact Score | Not Defined | Attack Complexity | Not Defined |
Cvss Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store, on all supported releases of Microsoft Windows, Windows Mobile 6.x, Windows Phone 7, Microsoft Kin, and Zune HD devices. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.

These certificates affect the following Web properties:

Comodo has revoked these certificates, and they are listed in Comodo's current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.

An update to help address this issue is available for all supported releases of Windows, Windows Mobile 6.x devices, and Zune HD devices. As of May 3, 2011, the update is also beginning to be delivered to Windows Phone 7 customers. For more information about this update, see Microsoft Knowledge Base Article 2524375.

For supported releases of Microsoft Windows, typically no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For more information, including how to manually install this update and how to install the update on Windows Mobile 6.x, Windows Phone 7, and Zune HD devices, see the Suggested Actions section of this advisory.

For more information about this issue, see the following references:

This advisory discusses the following software and devices.

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

Why was this advisory revised July 6, 2011?
The update for Microsoft Kin is unavailable at this time. Microsoft will issue an update for this device when testing is complete, to ensure a high degree of quality for its release.

Why were Zune 4GB, Zune 8GB, Zune 16GB, Zune 30GB, Zune 80GB, and Zune 120GB devices removed from the Affected Software and Devices table?

Why was this advisory revised May 10, 2011?
The updates for Microsoft Kin and Zune devices are unavailable at this time. Microsoft will issue updates for these devices when testing is complete, to ensure a high degree of quality for their release.

Why was this advisory revised May 3, 2011?
The updates for Windows Mobile 6.x, Microsoft Kin, and Zune devices are unavailable at this time. Microsoft will issue updates for these devices when testing is complete, to ensure a high degree of quality for their release.

Why was this advisory revised April 19, 2011?
The updates for Windows Mobile 6.x, Windows Phone 7, Microsoft Kin, and Zune devices are unavailable at this time. Microsoft will issue updates for these devices when testing is complete, to ensure a high degree of quality for their release.

What is cryptography?
In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext. In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key. However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext.

What is a digital certificate?

What are certificates used for?

What is a certification authority (CA)?

What caused the issue?
Note: Comodo has revoked these certificates, and they are listed in Comodo's current Certificate Revocation List (CRL).

What might an attacker use the vulnerability to do?

What is a man-in-the-middle attack?

What is the procedure for revoking a certificate?
An alternative way for Web browsers to validate the identity of a digital certificate is by using the Online Certificate Status Protocol (OCSP). OCSP allows interactive validation of a certificate by connecting to an OCSP responder, hosted by the Certificate Authority (CA) which signed the digital certificate. Every certificate should provide a pointer to the OCSP responder location through the Authority Information Access (AIA) extension in the certificate. In addition, OCSP stapling allows the Web server itself to provide an OCSP validation response to the client. OCSP validation is enabled by default on Internet Explorer 7 and later versions of Internet Explorer on supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. On these operating systems, if the OCSP validation check fails, the browser will validate the certificate by contacting the CRL Location. For more information on certificate revocation checking, see the TechNet article, Certificate Revocation and Status Checking.

What is a Certificate Revocation List (CRL)?

What is a CRL Distribution Point (CDP)?

What is the Online Certificate Status Protocol (OCSP)?

What is Microsoft doing to help with resolving this issue?

If there is no issue in Microsoft software, why is Microsoft releasing an update?
However, when certificate revocation checks fail due to network and connectivity issues, browsers and other client applications, including Internet Explorer, may ignore these errors and consider the certificate trustworthy due to the lack of proof otherwise. In these scenarios, customers may still be affected.

What does the update do?

How do I know if I've encountered an invalid certificate error?
Users are only presented this message when the certificate is determined to be invalid, for instance when the user has Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) validation enabled. OCSP validation is enabled by default on Internet Explorer 7 and later versions of Internet Explorer on supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

After applying the update, how can I verify the certificates in the Untrusted Certificates folder?
In the Certificates MMC snap-in, verify that the following certificates have been added to the Untrusted Certificates folder:

An update is available to help address this issue. The majority of customers have automatic updating enabled and will not need to take any action because this update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. The update is also available from the Microsoft Download Center; see Microsoft Knowledge Base Article 2524375 for download links.

At the time of release, the update is not available for all Windows Phone 7 customers; instead, customers will receive an on-device notification once the update is available for their phone. To learn more or to install the update, Windows Phone 7 customers will have to connect their phone to a computer and use the Zune PC client or Windows Phone 7 Connector (for Mac) to complete the update process. For more information about the update, see Microsoft Knowledge Base Article 2524375. To update the Zune PC client, customers can configure automatic updating to check online for updates from Microsoft Update by using the Microsoft Update service. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action to update their Zune software because this update will be downloaded and installed automatically. The update is available for download from the Microsoft Download Center. For more information about the update and download links, see Microsoft Knowledge Base Article 2524375.

The update is available through the Zune PC client. The update is applied when the Zune HD device is connected to the updated Zune software. For more information about the update, see Microsoft Knowledge Base Article 2524375. To update the Zune PC client, customers can configure automatic updating to check online for updates from Microsoft Update by using the Microsoft Update service. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action to update their Zune software because this update will be downloaded and installed automatically. For more information about this issue, see Microsoft Knowledge Base Article 2524375.

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer. For more information about staying safe on the Internet, visit Microsoft Security Central.

Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
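The revocation mechanics described in the Detail section (the AIA pointer to the OCSP responder, the CRL distribution point, the CRL lookup, and the soft-fail behaviour when the check cannot complete) as an added Go example; this is not code from the advisory, Microsoft or Comodo. It uses only the standard crypto/x509 package; the test CA, serial numbers and URLs are constructed placeholders, and the `softFail` flag stands in for the client behaviour the advisory warns about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueLeaf builds a constructed test CA and a leaf cert carrying the AIA (OCSP) and CDP (CRL) pointers the advisory describes; keys and URLs are placeholders.
func IssueLeaf() (ca *x509.Certificate, caKey ed25519.PrivateKey, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign: may issue CRLs
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey) // self-signed root
	ca, _ = x509.ParseCertificate(caDER)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "login.example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		OCSPServer:            []string{"http://ocsp.example.test"},        // AIA extension: OCSP responder location
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}} // CDP extension: where the CRL is published
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return
}
// IssueCRL signs a CRL from the CA listing serial as revoked, the step Comodo took for the nine certificates.
func IssueCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, serial *big.Int) []byte {
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}}}, ca, caKey)
	return der
}
// CheckRevocation reports whether a client trusts leaf given the CRL it fetched; nil crlDER models the fetch failure the advisory describes (soft-fail accepts, hard-fail rejects).
func CheckRevocation(leaf, ca *x509.Certificate, crlDER []byte, softFail bool) (bool, string) {
	if crlDER == nil {
		return softFail, "revocation status unknown (CRL fetch failed)"
	}
	if crl, err := x509.ParseRevocationList(crlDER); err == nil && crl.CheckSignatureFrom(ca) == nil {
		for _, rc := range crl.RevokedCertificates { // serials the issuing CA has revoked
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return false, "serial is on the CA's CRL"
			}
		}
		return true, "not revoked"
	}
	return false, "CRL unparseable or not signed by the issuing CA"
}
```

The soft-fail path is the scenario the advisory flags as still affected, which is why the update places the certificates in the Untrusted Certificates store instead of relying on the CRL or OCSP fetch succeeding.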
Original Source
Url : http://www.microsoft.com/technet/security/advisory/2524375.mspx
Alert History
Date | Information |
---|---|
2014-02-17 11:38:39 | |
2014-01-19 21:29:40 | |
2013-02-06 19:08:06 | |